##############################
# General configuration for pf
##############################
set hostid 0x280767bc
set state-policy if-bound
set limit table-entries 400000
set optimization normal
set limit states 402000
set limit src-nodes 402000

##############################
# Aliases used by the firewall
##############################
# System-defined aliases for interfaces
loopback = "{ lo0 }"
WAN = "{ em0 }"
table <WAN__NETWORK> persist { 192.168.254.0/24 2a07:7e84:1000:19a1::3001/128 }
WAN__NETWORK = "<WAN__NETWORK>"
WireGuard = "{ WireGuard }"
table <WIREGUARD__NETWORK> persist {  }
WIREGUARD__NETWORK = "<WIREGUARD__NETWORK>"

# System-defined aliases available to the user
# NOTE(review): the <bogons> table definition below is emitted twice (identical lines); it looks like a generator artefact and should be deduplicated.
table <bogons> persist file "/etc/bogons"
bogons = "<bogons>"
table <bogons> persist file "/etc/bogons"
bogons = "<bogons>"
table <bogonsv6> persist file "/etc/bogonsv6"
bogonsv6 = "<bogonsv6>"
#SSH Lockout Table
table <sshguard> persist
#Snort tables
table <snort2c>
table <virusprot>
_nexus_vpn_port_ = "{  }"
table <_loopback4_> {   127.0.0.0/8 }
_loopback4_ = "<_loopback4_>"
table <_loopback6_> {   ::1/128 }
_loopback6_ = "<_loopback6_>"
table <_loopback46_> {    127.0.0.0/8   ::1/128 }
_loopback46_ = "<_loopback46_>"
table <_linklocal4_> {   169.254.0.0/16 }
_linklocal4_ = "<_linklocal4_>"
table <_linklocal6_> {   fe80::/10 }
_linklocal6_ = "<_linklocal6_>"
table <_linklocal46_> {    169.254.0.0/16   fe80::/10 }
_linklocal46_ = "<_linklocal46_>"
table <_private4_> {   10.0.0.0/8  172.16.0.0/12  192.168.0.0/16 }
_private4_ = "<_private4_>"
table <_private6_> {   fc00::/7 }
_private6_ = "<_private6_>"
table <_private46_> {    10.0.0.0/8  172.16.0.0/12  192.168.0.0/16   fc00::/7 }
_private46_ = "<_private46_>"
table <_multicast4_> {   224.0.0.0/4 }
_multicast4_ = "<_multicast4_>"
table <_multicast6_> {   ff00::/8 }
_multicast6_ = "<_multicast6_>"
table <_multicast46_> {    224.0.0.0/4   ff00::/8 }
_multicast46_ = "<_multicast46_>"
table <_reserved4_> {   0.0.0.0/8  10.0.0.0/8  100.64.0.0/10  127.0.0.0/8  169.254.0.0/16  172.16.0.0/12  192.0.0.0/24  192.0.2.0/24  192.88.99.0/24  192.168.0.0/16  198.18.0.0/15  198.51.100.0/24  203.0.113.0/24  224.0.0.0/4  240.0.0.0/4  255.255.255.255/32 }
_reserved4_ = "<_reserved4_>"
table <_reserved6_> {   ::1/128  ::/128  ::ffff:0:0/96  64:ff9b::/96  64:ff9b:1::/48  100::/64  2001::/23  2001:2::/48  2001:db8::/32  2002::/16  3fff::/20  5f00::/16  fc00::/7  fe80::/10  ff00::/8 }
_reserved6_ = "<_reserved6_>"
table <_reserved46_> {    0.0.0.0/8  10.0.0.0/8  100.64.0.0/10  127.0.0.0/8  169.254.0.0/16  172.16.0.0/12  192.0.0.0/24  192.0.2.0/24  192.88.99.0/24  192.168.0.0/16  198.18.0.0/15  198.51.100.0/24  203.0.113.0/24  224.0.0.0/4  240.0.0.0/4  255.255.255.255/32   ::1/128  ::/128  ::ffff:0:0/96  64:ff9b::/96  64:ff9b:1::/48  100::/64  2001::/23  2001:2::/48  2001:db8::/32  2002::/16  3fff::/20  5f00::/16  fc00::/7  fe80::/10  ff00::/8 }
_reserved46_ = "<_reserved46_>"
table <_nat64reserved_> {   64:ff9b::0/104  64:ff9b::a00:0/104  64:ff9b::6440:0/106  64:ff9b::7f00:0/104  64:ff9b::a9fe:0/112  64:ff9b::ac10:0/108  64:ff9b::c000:0/120  64:ff9b::c000:200/120  64:ff9b::c058:6300/120  64:ff9b::c0a8:0/112  64:ff9b::c612:0/111  64:ff9b::c633:6400/120  64:ff9b::cb00:7100/120  64:ff9b::e000:0/100  64:ff9b::f000:0/100  64:ff9b::ffff:ffff/128 }
_nat64reserved_ = "<_nat64reserved_>"

# System gateways
GWWAN_DHCP = " route-to ( em0 192.168.254.10 ) "
GWWAN_DHCP6 = " route-to ( em0 fe80::92ec:77ff:fe1d:13ee%em0 ) "

##########################################
# Interfaces used with pf stats collection
##########################################
set loginterface em0

#################################
# Interfaces without pf filtering
#################################
set skip on pfsync0

############################################
# Preserve rule counters across rule updates
############################################
set keepcounters

##########################################
# Required rules for traffic normalization
# NOTE(review): <vpn_networks> is referenced by the next two scrub rules but is not declared anywhere in this file; unless it is created elsewhere, those rules match nothing — confirm with pfctl -sT.
##########################################
scrub from any to <vpn_networks>   fragment no reassemble
scrub from <vpn_networks> to any   fragment no reassemble
scrub on $WAN inet all    fragment reassemble
scrub on $WAN inet6 all    fragment reassemble

#######################################
# Rules for Network Address Translation
#######################################
no nat proto carp
no rdr proto carp
nat-anchor "natearly/*"
nat-anchor "natrules/*"

# Outbound NAT rules (automatic)
# Subnets to NAT
tonatsubnets	= "{ 127.0.0.0/8 ::1/128 }"
nat on $WAN inet from $tonatsubnets to any port 500 -> 192.168.254.25/32  static-port
nat on $WAN inet6 from $tonatsubnets to any port 500 -> 2a07:7e84:1000:19a1::3001/128  static-port
nat on $WAN inet from $tonatsubnets to any -> 192.168.254.25/32 port 1024:65535
nat on $WAN inet6 from $tonatsubnets to any -> 2a07:7e84:1000:19a1::3001/128 port 1024:65535

# NAT rules for the TFTP Proxy service
rdr-anchor "tftp-proxy/*"

#################################
# Extra rules from OpenVPN RADIUS
#################################
anchor "openvpn/*"

###############################
# Extra rules from IPsec RADIUS
###############################
anchor "ipsec/*"

################################################################
# Rules to block NAT64 translation for non-global IPv4 addresses
################################################################
block in log quick inet6 from any to <_nat64reserved_> ridentifier 1000000001 label "descr=Block NAT64 for non-global IPv4"
block out log quick inet6 from any to <_nat64reserved_> ridentifier 1000000002 label "descr=Block NAT64 for non-global IPv4"

########################################
# Rules to block IPv4 link-local packets
########################################
# Block IPv4 link-local. Per RFC 3927, link local "MUST NOT" be forwarded by
# a routing device, and clients "MUST NOT" send such packets to a router.
# FreeBSD won't route 169.254./16, but route-to can override that, causing
# problems such as in redmine #2073
block in log quick from 169.254.0.0/16 to any ridentifier 1000000101 label "descr=Block IPv4 link-local"
block in log quick from any to 169.254.0.0/16 ridentifier 1000000102 label "descr=Block IPv4 link-local"

#####################################################
# Required rules for the default-deny filter behavior
#####################################################
block in log inet all ridentifier 1000000103 label "descr=Default deny rule IPv4" label "tags=ruleset:5e585a53bdd3890f"
block out log inet all ridentifier 1000000104 label "descr=Default deny rule IPv4" label "tags=ruleset:5e585a53bdd3890f"
block in log inet6 all ridentifier 1000000105 label "descr=Default deny rule IPv6" label "tags=ruleset:5e585a53bdd3890f"
block out log inet6 all ridentifier 1000000106 label "descr=Default deny rule IPv6" label "tags=ruleset:5e585a53bdd3890f"

###################################
# Required rules for IPv6 operation
###################################
# IPv6 ICMP is not auxiliary, it is required for operation
# See man icmp6(4)
# 1    unreach         Destination unreachable
# 2    toobig          Packet too big
# 128  echoreq         Echo service request
# 129  echorep         Echo service reply
# 133  routersol       Router solicitation
# 134  routeradv       Router advertisement
# 135  neighbrsol      Neighbor solicitation
# 136  neighbradv      Neighbor advertisement
pass  quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} ridentifier 1000000107 keep state

##############################################
# Required rules for general IPv6 connectivity
##############################################
# Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
pass out  quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} ridentifier 1000000108 keep state
pass out  quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} ridentifier 1000000109 keep state
pass in  quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} ridentifier 1000000110 keep state
pass in  quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} ridentifier 1000000111 keep state
pass in  quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} ridentifier 1000000112 keep state
pass in  quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type {128,133,134,135,136} ridentifier 1000000113 keep state

#########################################
# Rules to drop invalid packets on port 0
#########################################
# We use the mighty pf, we cannot be fooled.
block log quick inet proto { tcp, udp } from any port = 0 to any ridentifier 1000000114 label "descr=Block traffic from port 0"
block log quick inet proto { tcp, udp } from any to any port = 0 ridentifier 1000000115 label "descr=Block traffic to port 0"
block log quick inet6 proto { tcp, udp } from any port = 0 to any ridentifier 1000000116 label "descr=Block traffic from port 0"
block log quick inet6 proto { tcp, udp } from any to any port = 0 ridentifier 1000000117 label "descr=Block traffic to port 0"

################################################
# Rules to block packets matched by IDS packages
################################################
block log quick from <snort2c> to any ridentifier 1000000118 label "descr=Block snort2c hosts"
block log quick from any to <snort2c> ridentifier 1000000119 label "descr=Block snort2c hosts"

#######################################################
# Rules for blocklisted hosts accessing the SSH service
#######################################################
block in log quick proto tcp from <sshguard> to (self) port 22 ridentifier 1000000301 label "descr=sshguard"

##################################################
# Rules for blocklisted hosts accessing the WebGUI
##################################################
block in log quick proto tcp from <sshguard> to (self) port 443 ridentifier 1000000351 label "descr=GUI Lockout"

#######################################################
# Rules to block packets matched by anti-virus packages
#######################################################
block in log quick from <virusprot> to any ridentifier 1000000400 label "descr=virusprot overload table"

#################################################
# Rules to prevent DHCP leaks in multi-WAN setups
#################################################
block out quick proto udp from any port = 67 to any port = 68 tagged "dhcpin" ridentifier 1000000451 label "descr=Prevent routing dhcp responses"

#########################
# Default interface rules
#########################
# allow our DHCP client out to the WAN
pass in  quick on $WAN proto udp from any port = 67 to any port = 68 tag "dhcpin" no state ridentifier 1000000461 label "descr=allow dhcp replies in WAN"
pass out  quick on $WAN proto udp from any port = 68 to any port = 67 no state ridentifier 1000000462 label "descr=allow dhcp client out WAN" 
# Not installing DHCP server firewall rules for WAN which is configured for DHCP.

# allow our DHCPv6 client out to the WAN
pass in  quick on $WAN proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 ridentifier 1000000463 label "descr=allow dhcpv6 client in WAN"
pass in  quick on $WAN proto udp from any port = 547 to any port = 546 ridentifier 1000000464 label "descr=allow dhcpv6 client in WAN"
# Add Priority to dhcp6c packets if enabled
pass out  quick on $WAN proto udp from any port = 546 to any port = 547 ridentifier 1000000465 label "descr=allow dhcpv6 client out WAN" 

# block bogon networks (IPv4)
# https://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt
block in log quick on $WAN from <bogons> to any ridentifier 11001 label "descr=block bogon IPv4 networks from WAN"

# block bogon networks (IPv6)
# https://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
block in log quick on $WAN from <bogonsv6> to any ridentifier 11002 label "descr=block bogon IPv6 networks from WAN"

# Required rules for antispoof protection
antispoof log for $WAN ridentifier 1000001470

#####################################
# Required rules for loopback traffic
#####################################
pass in  on $loopback inet all ridentifier 1000002561 label "descr=pass IPv4 loopback"
pass out  on $loopback inet all ridentifier 1000002562 label "descr=pass IPv4 loopback"
pass in  on $loopback inet6 all ridentifier 1000002563 label "descr=pass IPv6 loopback"
pass out  on $loopback inet6 all ridentifier 1000002564 label "descr=pass IPv6 loopback"

##########################################################
# Required rules for traffic from the firewall host itself
##########################################################
pass out  inet all keep state allow-opts ridentifier 1000002565 label "descr=let out anything IPv4 from firewall host itself"
pass out  inet6 all keep state allow-opts ridentifier 1000002566 label "descr=let out anything IPv6 from firewall host itself"
pass out  route-to ( em0 192.168.254.10 ) from 192.168.254.25 to !192.168.254.0/24 ridentifier 1000002661 keep state allow-opts  label "descr=let out anything from firewall host itself"
pass out  route-to ( em0 fe80::92ec:77ff:fe1d:13ee%em0 ) inet6 from 2a07:7e84:1000:19a1::3001 to !2a07:7e84:1000:19a1::3001/64 ridentifier 1000002662 keep state allow-opts  label "descr=let out anything from firewall host itself"

#######################################################
# Rules to prevent accidental lockout from the firewall
# NOTE(review): because no LAN interface exists in this ruleset, the anti-lockout rule below is placed on em0 (the WAN interface) and passes TCP 443/80 to the firewall from any source; only hosts in <sshguard> are blocked (GUI Lockout rule above). Confirm that exposing the WebGUI on the WAN is intended.
#######################################################
pass in  quick on em0 proto tcp from any to (em0) port { 443 80 } ridentifier 10001 keep state label "descr=anti-lockout rule"

#######################
# Anchor for user rules
#######################
anchor "userrules/*"

#####################################
# Interface rules defined by the user
#####################################
# array key "lan" does not exist for "Default allow LAN to any rule" in array: {WAN WireGuard }
# array key "lan" does not exist for "Default allow LAN IPv6 to any rule" in array: {WAN WireGuard }

# Rules for WAN
# NOTE(review): the first rule below passes ALL inbound IPv4 on $WAN from any to any with "quick"; since the default-deny rules are not "quick", this overrides the IPv4 default deny on the WAN for both firewall-bound and forwarded traffic (only the earlier quick blocks — bogons, sshguard, snort2c, virusprot, antispoof — still apply). Confirm this is intended and scope it if not.
pass  in  quick  on $WAN reply-to ( em0 192.168.254.10 ) inet from any to any ridentifier 1766393690 keep state label "id=1766393690" label "tags=user_rule"
pass  in  quick  on $WAN reply-to ( em0 192.168.254.10 ) inet proto tcp  from any to any ridentifier 1766393877 flags S/SA keep state label "id=1766393877" label "tags=user_rule" label "descr=test"

##################################
# Rules for the TFTP Proxy service
##################################
anchor "tftp-proxy/*"
